
Actively exploited zero-day and four 'critical' vulnerabilities fixed in Microsoft's July Patch Tuesday

The month's list of 84 bug fixes has been branded "boring" by some experts but should be welcome news to security personnel

Microsoft’s latest monthly security updates for July have been released this week, with 84 total vulnerabilities fixed including one actively exploited zero-day.

The zero-day (CVE-2022-22047) is a privilege escalation flaw affecting Windows Client/Server Runtime Submission (CSRSS), the exploitation of which could grant attackers system privileges.

It has been given a CVSSv3 score of 7.8/10 - a ‘high’ rating - and Tenable said it is a vulnerability that is most likely to be used after an attacker has initially gained a foothold in an organisation.

“This type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application,” it said.

No details on the zero-day have been released other than Microsoft’s assessment that exploitation requires a low level of complexity, albeit through a local attack vector.

This means an attacker would either have to have their hands on the victim’s keyboard or be able to control a machine remotely, supporting Tenable’s conclusion that it would likely be used after initially compromising an organisation.

Given that CVE-2022-22047 is the only actively exploited bug in this month’s list of patches, businesses are advised to treat this patch as a particular priority.

The US’ cyber security authority CISA added the zero-day to its list of mandatory patches that all federal civilian and executive branch agencies must deploy pursuant to the binding operational directive 22-01, first imposed last year but regularly updated since.

Four critical-rated vulnerabilities were fixed in this month’s ‘Patch Tuesday’, though none of these are believed to have been actively exploited. 

The first of these is CVE-2022-30222, which has been given a CVSSv3 score of 8.4/10. The remote code execution (RCE) vulnerability affects PCs with a Japanese language pack installed, and attackers can use the input method editor (IME) to gain system privileges.

An IME is software that allows users to input characters that aren’t typically supported by qwerty keyboards. Users type combinations of keys to display characters that otherwise aren’t present on their keyboard, rather than hitting dedicated buttons for specific characters.

CVE-2022-30216 received a severity rating of 8.8/10 and is a Windows Server service tampering vulnerability, the exploitation of which is “more likely” according to Microsoft.

To exploit the bug, an attacker would need to be authenticated, which may limit the real-world effectiveness, unless the attacker could upload a malicious certificate to the Windows Server service.

Another 8.8-rated bug was CVE-2022-30221, an RCE flaw affecting the Windows Graphics Component. Exploitation is less likely with this one given that a victim would have to be convinced to connect to a remote desktop protocol (RDP) server, limiting real-world impact. 

Regardless, if a business’ employee was convinced to join an attacker-controlled RDP server, the attacker could exploit the flaw to execute code on the victim’s system.

The final ‘critical’ vulnerability for this month is the 8.8-rated CVE-2022-20226, a privilege escalation bug again affecting Windows CSRSS, like the aforementioned zero-day.

Exploitation is assessed as “less likely” again by Microsoft, but an authenticated attacker could send a specially crafted request to the CSRSS to elevate their privileges from AppContainer to the system, before executing code or accessing resources.

In summary, July’s Patch Tuesday has been described by some experts as “boring” given the low number of seriously threatening security vulnerabilities compared to months gone by.

For the full list of vulnerabilities and Microsoft’s assessments on each, visit the company’s dedicated security update guide.
